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TO ALL WHOM IT MAY CONCERN: 

Be it known that we, Olivier Paul, a citizen of FRANCE, residing at Route 
de Gouze, 64370 Arthez de Beam, FRANCE, and Sylvain Gombault, a citizen of FRANCE, 
residing at 22, rue marie Rouault, 35000 Rennes, FRANCE, and Maryline Laurent 
Maknavicius, a citizen of FRANCE, residing at 1 6, villa la Bruyere, 91080 Courcouronnes, 
FRANCE, Joel Lattmann, a citizen of FRANCE, residing at 7bis, rue de Malnoue, 77420 
Champs sur Marne, FRANCE, and Christian Duret, a citizen of FRANCE, residing at 1 08, 
avenue de la Paix, 92320 Chatillon, FRANCE, and Herve Guesdon, a citizen of FRANCE, 
residing at 9, rue Servan, 38000 Grenoble, FRANCE, have invented a new and useful 
Method for Configuring A Trie Memory for the Processing of Data Packets, and 
Packet-Processing Device Implementing Such A Method, of which the following is a 
specification. 



METHOD FOR CONFIGURING A TRIE MEMORY FOR THE PROCESSING 



OF DATA PACKETS, AND PACKET -PROCESSING DEVICE 
IMPLEMENTING SUCH A METHOD 

BACKGROUND OF THE INVENTION 

5 The present invention relates to a method for 

processing data packets according to rules applied to 
each data packet, on the basis of data contained in 
H; this packet. 

O It relates more particularly to a method for 

nft 

fTj 10 configuring a particular memory device used for the 
CP processing of data packets. 

SJ International patent application WO 02/09367 

JL discloses an access control device for ATM networks, 

fij This device comprises an access controller which con- 

fy 15 figures traffic analysers in order to process, one by 
f-j one, the carrier cells of the ATM traffic. The traffic 

HJ analysers operate by analysis of the content of the 

ATM-traffic-carrier cells, associating routing refer- 
ences with them by means of a Trie-type associative 
20 memory. Such devices can also be used in IP routers, 
security devices (Firewall), traffic-measuring devices, 
etc. Depending on the application, the processing allo- 
cated to each data packet may be an addressing of this 
packet, a change of data of this packet, the recording 
25 of an item of information established on the basis of 
this packet, or, in general, an action determined on 
the basis of the content of this packet. 

The benefit in the use of a Trie-type memory is 
of allowing rapid analysis, in any order, of parts of 
30 the contents of the traffic-carrying cells. Such a mem- 
ory and its use in the analysis of data packets are de- 
scribed in the Patent Application EP-A-1 030 4 93 or US 
Patent Application S.N. 09/493,583, which is incorpo- 
rated herein by reference. 

35 The configuration of the Trie memory is imple- 

mented within the access controller. 
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SUMMARY OF THE INVENTION 

An object of the present invention is to obtain 
a configuration of this memory which makes it possible 
to assign processing appropriate to each data packet on 
5 the basis of parts of its content. 

The invention proposes a method for configuring 
a Trie-type associative memory for the processing of 
data packets based on a set of rules, the Trie memory 
being used for analyzing binary strings situated at de- 
; 10 fined locations in each data packet. Each rule attrib- 
utes an action to a packet based on the values of the 
binary strings. The Trie memory includes registers made 
up of a defined number of individual cells for receiv- 
ing respective references. The method comprises the 
15 steps of: 

a- translating the set of rules into a packet analy- 
sis tree, comprising nodes distributed into suc- 
cessive stages respectively associated with the 
locations considered in a defined order, arcs and 
20 leaves corresponding to actions which can be at- 

tributed by the rules, the first stage of the 
tree comprising a single node called root node of 
the analysis tree, 

each arc having a start node and an arrival 
25 point consisting either of a node of the stage 

following that of said start node or of a leaf, 
and being associated with a respective domain of 
binary string values possible at said location, 

the analysis tree defining paths each con- 
30 sisting of a series of n arcs, n being an integer 

at least equal to 1, the first arc of the series 
having as start node the root node of the analy- 
sis tree, 

the arrival point of each arc of a path other 
35 than the last arc being the start node of the 

following arc of said path, and the arrival point 



of the last arc of the path being a leaf corre- 
sponding to an action attributed according to the 
set of the rules to each packet having, at the n 
locations associated respectively with the stages 
of the start nodes of the n arcs of said path, 
binary string values falling into the n domains 
associated respectively with said arcs; 

b- allocating a group of registers of the Trie mem- 
ory, including a gatekeeper register, to each 
node of the analysis tree belonging to a stage 
associated with a location, and recording refer- 
ences in the cells of the group of registers such 
that, by analyzing from the gatekeeper register 
the binary string value contained at said loca- 
tion in a packet, a final reference is obtained 
depending on which domain contains the value from 
among the domains of values associated with the 
arcs having said node as start node and such 
that: 

if the arc associated with the domain con- 
taining the value has, as arrival point, a leaf 
corresponding to an action, the final reference 
designates the action as being attributed to the 
packet, and 

if the arc associated with the domain con- 
taining the value has another node of the follow- 
ing stage as arrival point, the final reference 
designates said other node so as to carry on by 
analyzing the binary string value contained in 
the packet at the location associated with said 
following stage. 

Such a mode of configuration of the Trie memory 
offers great flexibility in taking into account a wide 
diversity of rules for classifying the traffic, which 
may correspond to various actions to be undertaken on 
the data packets depending on the content of the loca- 



tions analysed. The paths of the tree correspond to 
analysis graphs which are run along by means of index- 
ing and indirection operations in the Trie memory thus 
configured. 

Such an organisation of the analysis structure 
makes it possible to guarantee that the duration of 
analysis of any data packet is limited by an upper 
bound fixed by the analysis of concern. This upper 
bound corresponds to the depth of the analysis tree, 
i.e. to the number of locations to analyse. This allows 
the operator of a communications network using the in- 
vention to carry out real-time processing of the data 
packets which are presented at the input of the traffic 
analyser by allocating sufficient analysis means. 

In a preferred embodiment of the method, the 
order considered in the step of construction of the 
analysis tree advantageously results from a sorting of 
the locations carried out after counting elementary in- 
tervals. For each of the locations, consecutive elemen- 
tary intervals are determined, covering binary string 
values possibly appearing at this location, each ele- 
mentary interval being such that the action attributed 
by each of the rules is not altered by a change, within 
said elementary interval, of the value of the binary 
string situated at said location in a processed packet. 
The sorting of the locations is then carried out in an 
order such that the location for which the largest num- 
ber of elementary intervals has been defined is placed 
last. In particular, it is possible to sort the loca- 
tions in the order of increasing numbers of elementary 
intervals . 

An advantage of such sorting of the locations 
lies in the minimizing of the size of the Trie memory 
necessary for the analysis of the content of each data 
packet, on the basis of which action is attributed to 
each packet according to the set of rules. Thus, a 
large number of data packets corresponding to a great 
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variety of actions attributed to each of them can be 
processed with a single operation of analysis of the 
contents of these packets. 

In general, a Trie memory takes the shape of a 
5 table whose rows, or registers, include a fixed number 
of cells, for example 4, 8, 16 or 32 cells. The size of 
the Trie memory then corresponds to the number of reg- 
isters of this memory. The above-mentioned embodiment 
of the present invention thus makes it possible to re- 
10 duce the number of registers necessary to carry out a 
given analysis of the content of the data packets. 

The method of configuring the Trie memory of 
the invention comprises the transcribing of the analy- 
sis tree into this memory in the form of references 

15 written into the cells of the memory. A large analysis 
tree generally requires a Trie memory of correspond- 
ingly greater size. It is consequently advantageous to 
design the analysis tree and its transcription in such 
a way as to reduce the necessary size of the Trie mem- 

20 ory. 

The number of stages of nodes of the analysis 
tree corresponds to the number of locations within data 
packets, at which the binary strings are to be read. 

It is possible to determine an upper bound of 

25 the dimension of the analysis tree as follows. The 
first stage of the analysis tree comprises the root 
node as single node. The second stage of the analysis 
tree comprises a number of nodes equal at most to the 
number of elementary intervals defined for the location 

30 placed first according to the order adopted for the 
locations. The number of nodes of the third stage of 
the analysis tree is at most equal to the product of 
the two numbers of elementary intervals defined respec- 
tively for the two locations with which the first two 

35 stages of nodes are associated. Recursively, the number 
of nodes of any stage of the analysis tree which is as- 



sociated with a given location is less than or equal to 
the product of the number of elementary intervals de- 
fined respectively for all the locations preceding the 
location with which the stage of concern is associated 
according to the sorting order of the locations. 

If N designates the number of locations of bi- 
nary strings defined in the data packets on which the 
analysis of the packets is based, the number of nodes 
of the last stage of the analysis tree is therefore 
less than the product of the (N-l) numbers of elemen- 
tary intervals corresponding to the first (N-l) loca- 
tions according to the order of sorting of the loca- 
tions. Put another way, it is less than the value equal 
to the product of all the numbers of elementary inter- 
vals divided by the number of elementary intervals of 
the last location according to this order. This value 
therefore constitutes an upper bound of the number of 
nodes of the last stage of the analysis tree, which 
corresponds to an upper limit on the size of the neces- 
sary Trie memory. For elementary intervals fixed for 
all the locations, this upper bound is smallest when 
the order of sorting of the locations is such that that 
one of the locations for which the largest number of 
elementary intervals has been defined is placed last. 

In certain applications of the method, the bi- 
nary strings read at said locations are numbers or val- 
ues comprising numbers. It is then particularly conven- 
ient to define the elementary intervals by complying 
with an order relationship between these numbers, or by 
using an order relationship matching the structure of 
the values read, in order to allow rapid configuration 
of the Trie memory. 

In an advantageous embodiment of the method, 
the translation of the set of rules into an analysis 
tree is such that at least one node of the analysis 
tree is the arrival point of a plurality of arcs origi- 
nating from distinct start nodes of the preceding 



stage. This achieves a compression of the classifica- 
tion structures defined in the Trie memory, which pro- 
vides a substantial space saving in this memory. 

For that, one may consider that a sub-tree is 
associated with each node of the analysis tree differ- 
ent from its root. This sub-tree has a root constituted 
by said node and is made up of the nodes, arcs and 
leaves encountered from said node along the various 
paths passing through said node. The translation of the 
set of rules is then operated in such a way that the 
analysis tree does not include first and second sub- 
trees having separate roots and such that their respec- 
tive nodes, arcs and leaves may be paired in such a way 
that each node of the first sub-tree is paired with a 
node of the second sub-tree belonging to a same stage, 
that each leaf of the first sub-tree is paired with a 
leaf of the second sub-tree corresponding to a same ac- 
tion, and that two paired arcs of the first and the 
second sub-trees have start nodes which are paired to- 
gether and arrival points which are paired together, 
and are associated with the same domain of values. 

Each rule may be defined by an action and by 
ranges of values respectively corresponding to at least 
some of the locations, and attribute said action to the 
packets having, at said locations, binary strings val- 
ues respectively falling into said ranges. In order to 
have a generic treatment of all the rules, the follow- 
ing care is taken : when, for a given location, a rule 
does not exhibit any explicit range, a range is added 
to this rule which corresponds to this location and 
which comprises all the binary string values which can 
be read in the data packets at this location. 

A subset of rules is then associated with each 
node of a (p+l)-th stage of the analysis tree, p being 
an integer greater than 0. This subset is composed of 
the rules of the set such that each range of values 
corresponding to a location associated with one of the 



p first stages of the tree has a non-empty overlap with 
the domain of values associated with the arc of each 
path passing through said node and having a start node 
in said stage. A subset consisting of the set of the 
rules can be considered to be associated with the root 
node. The translation of the set of rules preferably 
comprises the following steps for each node of the p-th 
stage associated with a first subset of rules: 

- determining domains of values covering binary 
string values possibly appearing at the p-th lo- 
cation considered in said order, whereby each do- 
main is such that the action attributed by each 
of the rules of the first subset is not altered 
by a change, within said domain, of the value of 
the binary string situated at the p-th location 
in a processed packet; and 

- for each of said domains of values : 

- generating an arc associated with said do- 
main, having said node of the p-th stage as 
start node; 

- detecting each rule of the first subset which 
is defined by at least one range of values 
including said domain; 

- if no rule detected, assigning a leaf of the 
tree corresponding to a default action as ar- 
rival point of said arc; 

- if, for each detected rule, no range of val- 
ues corresponds to any one of the locations 
following the p-th location in said order, 
assigning a leaf of the tree corresponding to 
an action of a detected rule as arrival point 
of said arc; 

- if, for at least one detected rule, a range 
of values corresponds to one of the locations 
following the p-th location in said order, 
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attributing a node of the (p+l)-th stage of 
the tree as arrival point of said arc, said 
node of the (p+l)-th stage being associated 
with a second subset composed of the detected 
5 rules of the first subset. 

Priorities may be respectively assigned to the 
rules of the set. In this case, when several rules are 
detected and none of their ranges of values corresponds 
n to one of the locations following the p-th location, 

0 10 the action corresponding to the leaf of the tree at- 

m 

£"i tributed to said arc is the action of one of the de- 

01 tected rules, selected on the basis of the assigned 
Jj priorities. 

For compressing the analysis tree the following 
fij 15 steps are executed, when at least one rule is detected 
?U having a range of values corresponding to one of the 

a locations following the p-th location: 

" - searching whether a node of the (p+l)-th stage of 

the tree associated with the second subset has 
20 already been generated; 

- if the search fails, generating such node in the 
(p+l)-th stage; 

- if the search identifies a node of the (p+l)-th 
stage, attributing the identified node as arrival 

25 point of said arc. 

The present invention also relates to a data 
packet processing device comprising a Trie-type asso- 
ciative memory and a controller configured to implement 
a method for configuring the Trie memory as disclosed 
30 hereabove. Such devices may especially be used in the 
following applications: 

- the routing, by a communications network, of data 
packets on the basis of routing rules applied to 
these packets; 



- the control of access to a communications network 
by data packets on the basis of rules for control 
of access to this network which are applied to 
these packets; 

- the acquisition of information relating to data 
packets transmitted by a communications network. 

The data packets may particularly be ATM cells 
carrying AAL 5 frames, or IP packets. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of an access con- 
trol device in which the method of the invention is im- 
plemented. 

Figure 2 is a table describing information 
processed by traffic analysers of the device of Figure 
1. 

Figure 3 represents an analysis tree resulting 
from two particular rules applied to pairs of numbers 
(x, y) , and not using the sorting of the locations ac- 
cording to the first improvement of the present inven- 
tion . 

Figure 4 represents a second analysis tree cor- 
responding to the rules given for the analysis tree of 
Figure 3, using the sorting of the locations according 
to the first improvement of the invention. 

Figure 5 represents an analysis tree resulting 
from three particular rules applied to triplets of num- 
bers (x, y, z) , and not using the sorting of the loca- 
tions according to the first improvement of the present 
invention . 

Figure 6 represents a second analysis tree cor- 
responding to the rules given for the analysis tree of 
Figure 5, using the sorting of the locations according 
to the first improvement of the present invention. 



Figure 7 represents a third analysis tree cor- 
responding to the rules given for the analysis tree of 
Figure 5, furthermore using groupings of matching sub- 
trees . 

Figure 8 is a block diagram of the steps for 
creating a new arc according to the second improvement 
of the invention. 

Figure 9 represents a fourth analysis tree cor- 
responding to the rules given for the analysis tree of 
Figure 5, using the sorting of the locations and the 
method for creating new arc of Figure 8. 

DETAILED DESCRIPTION OF THE INVENTION 

The structure of an access control device ar- 
ranged between two ATM (Asynchronous Transfer Mode) 
transmission networks, in which the method of the in- 
vention can be employed, is described in detail in the 
aforesaid international patent application WO 02/09367. 
As indicated in Figure 1, an access control device may 
be made up of two main parts 1, 2, operating jointly 
with an ATM switch 3. The first part 1 is dedicated to 
giving effect to an access control policy and to the 
analysis of the ATM signalling. The result of this 
analysis is used to construct a configuration dynami- 
cally. This is used by the second part 2 in order to 
provide an access control service based on the informa- 
tion transported in the ATM cells. This second part 2 
is capable of recovering the ATM- , IP- and transport- 
level information so as to decide whether a communica- 
tion should be authorized or prohibited. The configur- 
ing of the assembly is achieved by way of a unique lan- 
guage . 

The part 1 can be formed by means of a work- 
station, such as a station marketed by the company Sun 
Microsystems, Inc. The signalling analyser 4 is the 
element of this part 1 which carries out the access 
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control actions in terms of the ATM signalling in com- 
bination with the access control manager 7. 

The part 2 may be formed by means of a PC-type 
station operating, for example, with the Solaris x86 
operating system. This station is equipped with cards 
20, 21 for real-time analysis of the ATM cells, or 
traffic analysers, called I FT (IP Fast Translator) 
cards below, which carry out the access control actions 
ATM cell by ATM cell. 

In order to allow the expression of access con- 
trol policies, an Access Control Policy Description 
Language (ACPDL) is used. The definition of the ACPDL 
is based on the Policy Description Language (PDL) which 
is in progress to be defined within the working group 
dealing with policies at the IETF (see J. Strassner, et 
al., Policy Framework Definition Language, draft-ietf- 
policy-framework-pfdl-OO.txt, Internet Engineering Task 
Force, 17 November 1998) . In this language, a policy is 
defined by a set of rules, each rule itself consisting 
of a set of conditions and of an action which is car- 
ried out when all the conditions are fulfilled. The 
following expression (expressed in the Backus Naur for- 
malism, BNF) describes the general form of a rule: 

Rule : : = IF <Conditions> THEN <Action> 

All the conditions have the same generic struc- 
ture expressed below by means of the BNF formalism: 

Condition : : = <ACCESS CONTROL PARAMETER> 

<RELATIONAL OPERATOR> <VALUE> 

Depending on the level in the protocol stack, 
several types of access control parameters can be used: 

- at the ATM level, the parameters of interest are 
described in the article by 0. Paul, et al., 
"Manageable parameters to improve access control 
in ATM networks", HP-OVUA Workshop, Rennes, 



France, April 1998. Among these parameters it is 
possible to choose the type of traffic, the con- 
nection identifiers, the addressing information, 
the QoS descriptors and the service descriptors; 

- at the transport level, most of the parameters 
considered are those which are usually used in 
order to carry out the filtering of the packets 
in the filtering routers (for example the ad- 
dressing information, the source and destination 
ports, the flags in the case of TCP connections, 
etc) ; 

- at the application level, two generic parameters 
are considered: the identifier of the user of the 
application as well as the state of the applica- 
tion; 

- time-domain information is also included so as to 
specify when a rule has to be applied. 

The actions likewise have a generic structure 
(BNF notation) : 

Action : : = <ACT10N> <ACTION LEVEL> <LOG LEVEL> 

An action is divided into three parts. The 
first indicates whether the communication described by 
the conditions should be permitted or denied. The pa- 
rameter <ACTION LEVEL> corresponds to the protocol 
layer in which the action has to be carried out. The 
last part describes the importance accorded to the ac- 
cess control event and allows classification of the re- 
sults . 

The following paragraph shows how the ACPDL 
language can be used in order to express an access con- 
trol service example. In this example, each item of 
equipment is identified by its source address 
(IP SRC ADDRESS) and its destination address 
(IP DST ADDRESS) . The WWW service is identified by the 
source (SRC_PORT) and destination (DST_PORT) ports. The 



second command line given in the example is used so as 
to prohibit requests for connection to the WWW port of 
an internal station. 

IF (IP_SRC_ADDRESS = 192.165.203.5 255.255.255.255) AND 

(IP_DST_ADDRESS = 0.0.0.0 0.0.0.0) AND (SRC_PORT > 

1023) AND (DST_P0RT = 80) THEN PERMIT 
TRANS P_CONNECT I ON ; 

IF (IP_SRC_ADDRESS = 0.0.0.0 0.0.0.0) AND 
(IP_DST_ADDRESS = 1 92 . 1 65 . 203 . 5 2 55.255.255.255) AND 

(SRCJPORT = 80) AND (DST_PORT > 1023) AND (TCP__FLAG < > 

SYN) THEN PERMIT TRANS P_CONNECT I ON ; 

The access control policy is defined by the se- 
curity officer by means of a man-machine interface 
(MM I) 6 of the station 1, by using the ACPDL language. 
It is used to configure the two parts of the control- 
ler. However, this policy cannot be used directly by 
the two access control tools 4, 20/21. The manager 7 is 
the module which makes it possible to solve this prob- 
lem by translating the access control policy into con- 
figuration commands for the two tools. 

This translation process can be divided into 
two main parts. The first one is the translation of the 
policy into three static configurations: 

- at the level of the ATM signalling, this configu- 
ration comprises a description of the communica- 
tions which have to be controlled. Each communi- 
cation is described by a set of information ele- 
ments (IE) and by an action (Permit or Deny) . 
This configuration is sent to the signalling ana- 
lyser 4; 

- at the TCP/IP level, the configuration comprises 
a description of the packets which have to be 
controlled. This part of the policy can be ge- 
neric, which means that the rules which are de- 
scribed there are not dedicated to a particular 
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ATM connection. This part can also be related to 
an ATM connection by the expression of conditions 
bearing on connection identifiers; 

- at the ATM cell level, the configuration com- 
prises a description of the ATM cells which have 
to be controlled. These cells are divided accord- 
ing to the fields they can contain. The set of 
values each field can take is described by a 
tree. This configuration is sent to the 1FT cards 
20, 21. 

The second part of the configuration process 
takes place when a connection request is received by 
the signalling analyser 4. Once the access control pro- 
cess has been carried out, the signalling analyser 4 
sends the manager 7 the necessary information for car- 
rying out the dynamic configuring of the I FT cards 20, 
21. The information supplied by the signalling analyser 
4 comprises: 

- the VPI and VCI (Virtual Path Identifier, Virtual 
Channel Identifier) connection identifiers; 

- the source and destination ATM addresses; 

- a service descriptor (Classical IP over ATM 
(CLIP) , ATM native applications) . When an addi- 
tional layer is used above the ATM model, the 
signalling analyser 4 also supplies the encapsu- 
lation (with or without SNAP/LLC header) ; 

- the direction of the communication. 

In a CLIP environment, the manager 7 uses the 
source and destination ATM addresses in order to find 
the corresponding IP addresses. This translation is 
carried out by means of a file describing the corre- 
spondences between IP and ATM addresses. It may also 
use an address-resolution server (ATMARP) . 

The manager 7 next tries to find a correspon- 
dence between the IP addresses and the generic rules of 
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TCP/IP level access control. The subset of rules ob- 
tained is instanced with the IP addresses and associ- 
ated with the other information (addresses, encapsula- 
tion, connection identifiers, direction) . This set of 
5 information is used by the manager so as to construct 
the analysis tree which will be used to configure the 
I FT cards, and it is kept all along the life of the 
connection. On closure of the connection, the manager 7 
iu receives a signal from the signalling analyser 4 so as 

5 10 to reconfigure the IFT cards 20, 21 as appropriate by 
m erasing the information relating to the connection. The 

W manager next destroys the information associated with 

% the connection. 

The signalling analyser 4 is based on two func- 
Q 15 tions . The first one is the redirection of the signal- 
jJ"J ling messages originating from the internal and exter- 

jjl nal networks towards a filter belonging to the analyser 

O 4. The second one is the capability of splitting the 

signalling messages according to the UNI 3.1 specif ica- 
20 tion of the ATM Forum (ATM User-Network Interface 
Specification, Version 3.1, ATM Forum, July 1994) and 
of transmitting or deleting these messages on the basis 
of the access control configuration supplied by the 
manager 7 . 

25 The station 1 is provided with two ATM inter- 

face cards 8, 9 linked respectively to two interfaces 
12, 13 of the switch 3. The other interfaces repre- 
sented of the switch 3 are denoted 10 (internal net- 
work), 11 (external network), 14 and 15 (IFT cards 20 

30 and 21) . 

In order to redirect the signalling, the ATM 
switch 3 is configured in such a way as to forward the 
signalling messages to the station 1. This configura- 
tion can be achieved by deactivating the signalling 
35 protocol on the interfaces 10, 11, 12 and 13. A virtual 
channel (VC) then has to be constructed between each 
pair of interfaces for each signalling channel. The 
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signalling channels are identified, for example, by a 
virtual-channel identifier (VCI) equal to 5, 

With the preceding configuration, the signal- 
ling messages originating from the external network are 
5 forwarded to the interface 13 of the station 1 while 
the messages originating from the internal network are 
forwarded to the interface 12. 

When signalling messages are received by the 

signalling analyser 4, they are split into information 
O 10 elements according to the UNI specification 3.1. The 

information elements are then split into basic informa- 
yl tion such as the addresses, the connection identifiers, 

the call reference, the quality-of-service descriptors 
- and the service identifiers. The analyser 4 next ascer- 

P 15 tains whether the message can be associated with an ex- 
J=y isting connection by means of the type of the message 

Ul and of the call reference. If the connection is new, a 

connection descriptor containing this information is 

i : .§J: 

constructed. When the connection already exists, the 
20 connection descriptor is updated. The connection de- 
scriptor is associated with the status of the connec- 
tion and with the interface of origin. It is identified 
by a connection identifier. The descriptor is then sent 
to the filter of the signalling analyser 4 in order to 
25 be analysed. 

When the filter of the signalling analyser 4 
receives a connection descriptor, it compares the pa- 
rameters describing the connection with all the commu- 
nications described by the access control policy. If a 

30 correspondence is found, the filter applies the action 
associated with the communication. In the opposite 
case, it applies the default action which is that of 
prohibiting the connection. When the action consists of 
a prohibition, the filter destroys the connection de- 

35 scriptor. In the opposite case, it sends the connection 
descriptor to a message-construction module. When the 
connection descriptor indicates that a CONNECT message 
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has been received, a subset of the parameters of the 
connection descriptor is sent to the manager 7 as indi- 
cated above: 

- the VPI/VCI connection identifiers, obtained from 
the Connection Identifier IE; 

- the source and destination ATM addresses, sup- 
plied by the Called Party Identifier and Calling 
Party Identifier IEs; 

- the service descriptors, obtained from the Broad- 
band Higher Layer Identifier (BHLI) and Broadband 
Lower Layer Identifier (BLLI) IEs; 

- the direction, supplied by the name of the inter- 
face associated with the connection descriptor. 

When the connection descriptor indicates the 
reception of a RELEASEJCOMPLETE message, which com- 
pletes the release of a connection, the connection de- 
scriptor is again sent to the manager 7. Communication 
between the manager 7 and the signalling filter can be 
carried on in the conventional way by means of a shared 
memory segment and of signals. 

The I FT cards considered here for implementing 
the invention are of the type described in the European 
Patent Application number 00400366.1 filed on Febru- 
ary 9, 2000 by the Applicant. They are based on the use 
of a Trie-type associative memory for the analysis of 
parts of the content of ATM cells, and for the assign- 
ing to each cell of an action defined by the access 
control policy. These cards possess the following note- 
worthy characteristics: 

- they allow the analysis of the first cell of each 
AAL5 (ATM Adaptation Layer No 5) frame, and the 
modification of the corresponding cells on the 
basis of the analysis; 



- they can operate at a speed of 622 Mbit/s by vir- 
tue of a rapid and flexible method of cell analy- 
sis; 

- the delay introduced by the analysis can be 
bounded and depends on the configuration of the 
card; 

- they can be configured dynamically without inter- 
rupting the analysis process; 

- they can be integrated into PC-type equipment op- 
erating under Solaris. 

Figure 2 describes the information which can be 
analysed by the I FT cards 20, 21 in the case of the 
CLIP (CLIP1) and CLIP without SNAP-LLC encapsulation 
(CLIP2) protocols. The UD and TD fields indicate the 
start of the data segments in the case of the UDP and 
TCP protocols, respectively. This means that, in the 
general case, the I FT cards have access to the informa- 
tion at ATM, IP, TCP and UDP level and, in certain 
cases, information at application level. It should be 
noted, however, that the optional fields possibly pre- 
sent in the IP packet are not represented. The presence 
of these fields (of variable length) may push back the 
TCP- or UDP-level information in the second ATM cell. 

As in the case of the signalling, the first 
part of the access control process at the ATM cell 
level consists in redirecting the traffic originating 
from the internal and external networks to the I FT 
cards 20, 21. However, in this case, the configuration 
has to preserve the configuration implemented for the 
control of the signalling. By way of example, the vir- 
tual channels identified by a VCI value equal to 31 are 
deliberately left free so as to allow the ATM switch 3 
to reject the ATM cells belonging to a communication 
which has to be prohibited. The ATM switch 3 is then 
configured so as to create a virtual channel for each 
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value of VCI other than 5 and 31 between each interface 
pair (10, 14) and (11, 15) . 

The IFT cards of concern allow only the analy- 
sis of unidirectional streams. That means that the 
5 streams originating from the internal and external net- 
works have to be separated. This operation is particu- 
larly simple in the case of a physical layer of the 
Mono Mode Fibre type used by the cards, since the send- 
ing and receiving fibres are physically separated. 

10 The second part of the access control process 

is the configuring of the IFT cards 20, 21, so that 
they supply the desired access control service. As in- 
dicated above, this configuring is done by the manager 
7. The IFT cards have been designed at the outset to be 

15 managed remotely by several managers. Appropriate soft- 
ware 27 (RPC Daemon) is then used in the station 2 in 
order to serialize the demands addressed to the control 
circuit 28 (driver) of the cards 20, 21. At the manager 
7 end, a library gives access to the configuration 

20 functions. This library translates the local calls into 
remote calls on the station 2. The communications be- 
tween the two items of equipment are achieved, for ex- 
ample, via a dedicated, Ethernet-type network. 

The configuring of the Trie memories of the 

25 cards 20, 21 is based on a description of the communi- 
cations to be controlled in the form of trees. Each 
branch of the tree describes the coded value of a bi- 
nary string, for example of 4 bits, which can be found 
during the analysis process. This process consists in 

30 scanning the ATM cell portion to be analysed in seg- 
ments of 4 successive bits serving for access to the 
content of the Trie memory included in each IFT card. 
An analysis tree, constructed on the basis of an access 
control instruction supplied by the manager 7, corre- 

35 sponds to a given series of segments of 4 bits found at 
defined locations by scanning the ATM cell. The root of 
the tree corresponds to a gatekeeper which is recog- 



nized so as to begin the analysis of the tree. Examples 
of analysis trees and of resultant configurations of 
Trie memories of I FT cards are now presented. 

In a general way, each location to be analysed, 
or field, comprises a number of bits fixed by the size 
of this field, for example 32 bits. Its analysis in 
segments is carried out in such a way that the values 
which each segment can take correspond to the individ- 
ual cells of one or more registers of the Trie memory 
used. A quartet, which may take 2 4 = 16 values, is par- 
ticularly adapted to a Trie memory in which each regis- 
ter comprises 16 individual cells. Several registers, 
or even a large number of registers, are therefore nec- 
essary for the analysis of a field, depending on the 
size of this field with respect to the number of indi- 
viduals cells of a register. 

The analysis of a field in general comprises 
the analyses of a large number of segments of bits, 
achieved successively until going on to the analysis of 
another field of the same cell, or until an action at- 
tributed to the cell analysed by the access control 
policy is obtained. For the sake of simplicity and of 
clarity of illustration of the invention, although this 
does not correspond to a real situation, the examples 
presented thereafter each include only a single quartet 
for each field on which the analysis bears. For the 
same reasons of simplicity and of clarity, the number 
of rules considered and the number of fields taken into 
consideration for the analysis are very restricted, al- 
though a real access control policy may comprise numer- 
ous access rules bearing on a larger number of fields 
of control-protocol information. 

A first example is given for two fields x and y 
read in ATM cells, represented by (x, y) pairs. The bi- 
nary strings read in the fields x and y are quartets 
represented by hexadecimal numbers lying between 0 and 
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The rules considered, which are two in number, 
are as follows: 

- Rule Rel: if x > 7 and 3 < y < 8, then an action 
Al is carried out; 
5 - Rule Re2: if 2 < x < B and y > 3, then an action 

A2 is carried out. 

The rule Rel is assumed to have priority with 
respect to the rule Re2, so that the action Al is car- 
ried out alone when it is attributed simultaneously 
10 with the action A2 to the same pair (x, y) , respec- 
tively by each rule. If the condition of none of the 
two rules Rel and Re2 is complied with by a given pair 
(x, y) , then a default action 0 is attributed to this 
pair . 

15 The actions Al, A2 and O may be simple actions 

of rejection (DENY) or acceptance (PERMIT) of the 
cells. They may also correspond to more complex ac- 
tions, such as continuing with the control of access 
via the examination of other parameters such as author- 

20 . ized domains attributed to an addressee of the cell of 
concern . 

The action of rejection or of acceptance is 
coded by means of a particular node causing the end of 
the analysis and returning the connection identifier 

25 which will be attributed to all the cells of the corre- 
sponding AAL 5 frame. The DENY action is coded by di- 
recting the frame to the non-configured channel (VCI 
31) within the switch 3. The VCI 31 is thus used as a 
dustbin VCI into which to dump all the ATM cells not in 

30 accordance with the security policy. The PERMIT action 
is coded by leaving the connection identifier un- 
changed. 

The set of numbers which may be read in the x 
field is distributed by the rules Rel and Re2 into the 
35 following 4 intervals: x<2, 2 < x < 7, 7 < x < B and 
x > B. In a similar way, the set of numbers which may 
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be read in the y field is distributed into the follow- 
ing 3 intervals: y < 3, 3 < y < 8 and y > 8. 

An analysis tree resulting from the application 
of the two rules Rel and Re2 to the (x, y) pairs is 
5 represented in Figure 3, by first of all analyzing the 
value of x, then the value of y. The root node 100 rep- 
resents the start point of the analysis of the (x f y) 
pairs. Three nodes 101, each linked to the root node 
M= 100 by an arc 130, correspond to results of the analy- 

S 10 sis of the value of x with respect to the 4 intervals 
OS identified for x. Nodes 102, or leaves of the analysis 

ass 

JJ: tree, which are linked to the nodes 101 by arcs 131, 

,p correspond respectively, for the preceding results of 

the analysis of the value of x, to the results of the 
□ 15 analysis of the value of y with respect to the 3 inter- 

ril vals identified for y. For certain values of x, for ex- 

ill 

S ample x < 2, the analysis of the (x, y) pairs does not 

3 require analysis of the value of y in order to deter- 

y mine the action attributed by the two rules Rel and 

20 Re2. In this case, an arc 131 directly links a leaf 102 
to the root node 100. In other cases, 2 < x < 7 and 
x > B, the analysis of the value of y does not involve 
all the bounds of intervals defined for y. This is be- 
cause certain intervals defined for y can be combined 
25 together when they correspond to the same respective 
actions attributed by the two rules. 

Rows 110 and 111 respectively indicate the 
leaves 102 to which the action A2 and/or the action Al 
is attributed by the rules Re2 and Rel, considered 
30 separately from each other. 

Finally, depending on the priority of these ac- 
tions, a row 120 indicates the action AA corresponding 

to each leaf 102 resulting from the application of the 

two rules Rel and Re2 combined. Thus, the row 120 re- 

35 peats the row 111, with filling with the action A2 for 

those of the leaves 102 to which the row 110 allots the 

action A2 whereas the row 111 does not allot any ac- 
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tion. Further, the row 120 allots the default action O 
to the leaves 102 which are not considered in any of 
the rows 110 and 111. 

A Trie memory is used, the successive registers 
5 RO, Rl, R2, etc. of which all comprise sixteen individ- 
ual cells. An example of configuration of this Trie 
memory corresponding to the analysis tree of Figure 3 
is as follows: 
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In this configuration of the Trie memory, the 
10 gatekeeper register RO is attributed to the analysis of 
the value of x, and the registers Rl, R2 and R3 to the 
analysis of the value of y. RO is therefore the regis- 
ter by which the analysis of each (x, y) pair is 
started. Depending on the value of x of the (x, y) pair 
15 analysed, the register RO forwards to one of the regis- 
ters Rl, R2 or R3 in order to continue with the analy- 
sis. The latter register then indicates, depending on 
the value of y of the (x, y) pair analysed, the action 
to be carried out associated with the leaf 102 of the 
20 analysis tree at which that path arrives which corre- 
sponds to the successive results of the analyses of x 
and of y. According to this configuration, 4 Trie- 
memory registers are necessary in order to allow the 
analysis of all the possible (x, y) pairs. 

25 By first of all analyzing the value y, then the 

value x, for application of the same rules Rel and Re2, 
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an analysis tree as represented in Figure 4 is ob- 
tained. References which are identical between Figures 
3 and 4 correspond to identical meanings. In Figure 4, 
the intermediate nodes 103 correspond to the results of 
the analysis of the value of y, carried out first, when 
the analysis of the value of x has to be carried out 
next. For each pair of numbers (x, y) , this tree indi- 
cates the same result as the tree of Figure 3 for ap- 
plication of the rules Rel and Re2, in the form of the 
action AA indicated by the row 120. 



By applying the same method as before, on the 
basis of the analysis tree of Figure 4, for the con- 
figuration of the Trie memory, there is obtained: 
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Thus the sorting of the two locations x and y 
according to the first improvement of the invention 
makes it possible, in this example, to reduce by one 
register the size of the Trie memory which is necessary 
to allow application of the same processing rules. 



A second example relates to a set of rules ap- 
plied to triplets of numbers (x, y, z), each of these 
numbers still being a hexadecimal number: 

- Rule Rel: if x > A and 3 < z < 8, then an action 
Al is carried out; 

- Rule Re2: if x > 5 and 2 < y < 9 and z > 6, then 
an action A2 is carried out; 



- Rule Re3: if 3 < x < C, then an action A3 is car- 
ried out. 

In this example, • the relationship of priority 
among the three rules is Re2 > Rel > Re3. Only the 
highest-priority action is still finally attributed to 
each triplet, from among the actions attributed by each 
of the three rules considered separately. A default ac- 
tion 0 is still attributed to a triplet (x, y, z) which 
complies with the conditions of none of the three 
rules . 

These three rules define 5 intervals for the x 
field: x<3, 3 < x < 5, 5<x<A, A < x < C, and 
x > C, 3 intervals for the y field: y < 2, 2 < y < 9, 
and y > 9, and 4 intervals for the z field: z < 3, 
3 < z < 6, 6 < z < 8, and z > 8. 

Figure 5 represents an analysis tree corre- 
sponding to the foregoing three rules Rel, Re2 and Re3, 
first of all analyzing the value of x, then the value 
of y, and finally the value of z. This analysis tree is 
constructed in the same way as the trees of Figures 3 
and 4. The references 100 and 120 possess the meanings 
already introduced. Nodes 104 correspond to the results 
of the analysis of the value of x which does not make 
it possible directly to determine the action attributed 
by each rule, namely 5<x<A, A < x < C and x > C. 
Likewise, nodes 105 correspond to the results of the 
analysis of the value of y when the analysis of the 
triplets has to be further continued by the analysis of 
the value of z. Depending on the paths, the leaves 106 
of the analysis tree are linked by direct arcs to the 
nodes 100, 104 or 105. 

Rows 112, 113 and 114, for each of the leaves 
106, indicate the actions attributed respectively by 
each of the three rules, taken in increasing order of 
priority. A row 120 designates the final action attrib- 



uted to each triplet (x, y, z) on the basis of the pri- 
ority among the actions indicated by the three rules. 

A Trie memory is still used, for example, with 
sixteen individual cells per register. In this case, 
the configuration of the Trie memory, according to this 
first analysis tree, requires as many registers as 
there are nodes 100, 104 or 105, i.e. 9 registers in 
total . 

An example configuration of this Trie memory 
corresponding to the analysis tree of Figure 5 is as 
follows : 
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Likewise, Figure 6 represents an analysis tree 
corresponding to the rules Rel, Re2 and Re3, analyzing 
the value of y first of all, then the value of z, and, 
lastly, that of x, in accordance with the increasing 
order of the number of intervals defined respectively 
for x, y and z. Two intermediate nodes 107 correspond 
to the results of the analysis of the values of y, car- 
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ried out first, and six intermediate nodes 108 corre- 
spond to the results of the analysis of the values of 
z, carried out next. 

In this analysis tree of Figure 6, the sub- 
5 trees corresponding to the results of the subsequent 
analyses of y then z [ (y < 2 or y > 9) and (z < 3 or 
z > 8) ] on the one hand, and [2 < y < 9 and z < 3] on 
the other hand, are matching. Likewise for the sub- 
trees [ (y < 2 or y > 9) and 3 < z < 8] on the one hand, 

O 10 and [2 < y < 9 and 3 < z < 6] on the other hand. More- 

m 

JJt over, in Figure 6, the actions AA attributed on the ba- 

il y 

m sis of the value of x, according to the row 120, for 

+■ values of y and z such that [2 < y < 9 and 6 < z < 8] on 

9 " the one hand and [2 < y < 9 and z > 8] on the other 

O 15 hand are identical. The analysis tree of Figure 7 then 
m corresponds to that of Figure 6, grouping the matching 

1/1 sub-trees together, 

fy The configuration of the Trie memory, according 

to this last analysis tree, requires as many registers 

20 as there are nodes 100, 107 or 108, i.e. 6 registers in 
total. Thus, 3 Trie-memory registers have been saved by 
comparison with the configuration of the Trie memory 
arising from the analysis tree of Figure 5. An example 
configuration of the Trie memory which corresponds to 

25 the analysis tree of Figure 7 is: 
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Figure 8 shows in detail the various steps for 
creating a new arc of the analysis tree according to 
the second improvement of the method of the invention, 
which avoids, from the building of the analysis tree, 
5 the creation of matching sub-trees. The issue is to de- 
termine the arrival point of a new arc originating from 

a node NP of a p-th stage of the analysis tree, and as- 
sociated with a particular domain D for the location Ep 

associated with the p-th stage. 

10 The method described is applied in a recurrent 

way at each stage of the analysis tree, taken according 
to the order of the locations respectively associated 
with the stages. This method generates the nodes of the 
analysis tree, at the same time it attributes to each 

15 created node a subset of rules. So, before the imple- 
mentation of the present method to the node NP, a sub- 
set {Rj} of rules is already associated with this node, 

j being a numbering integer. 

It is assumed that each rule Rj attributes an 

20 action when, for certain locations, the binary string 

read at this location is falling into a range of values 
specified by this rule. This formula of the rules Rj 

corresponds to that of the preceding examples. 
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Within a first question 200, those among the 
rules Rj having a range containing the domain D for 

which the arc is being constructed are searched. In 
case of none of the rules Rj possess a range containing 

5 the domain D, then the arrival node of the arc is a 
leaf 102, 106 associated with the default action 0, in 
accordance with the step 201. 

In the positive case, the second question 210 
consists in searching among the rules Rj x identified in 

10 the step 200, the rules Rj 2 having at least one range 
corresponding to a location E q following the location 
Ep in the sorting order of the locations. If none of 
the rules Rj 1 possesses any range corresponding to a lo- 
cation following Ep, then (step 211) the arrival point 

15 of the arc is a leaf 102,106 associated with the action 
of the rule of highest priority among the rules Rj x 

identified in the step 200. 

In case of rules Rj 2 are identified in the step 

210, a node NP +1 already created in the stage (p+1) of 
20 the analysis tree and associated with the subset {Rj 2 > 

of the identified rules is searched, in a step 220. If 
such node NP" 1 " 1 already created is found, this node is 
the arrival point of the new arc originating from the 
node NP (step 222) . If such node does not exist, a new 
25 node NP +1 is created in the stage (p+1) and associated 
with the subset { R j2^ °f the rules identified in the 

step 210 (step 221) . 

This analysis is repeated for each domain D de- 
termined for the location Ep, in order to derive the 

30 arc originating from the node Ep associated with each 

of them. It is then repeated in the same way for a next 
node of the p-th stage of the analysis tree, until 
there is no node left in this stage. Finally, it is re- 
peated again for all the nodes of the next stage (p+1) , 
35 in such a way to continue with constructing the analy- 
sis tree. 
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This method for creating new arcs is imple- 
mented for the construction of a fourth tree corre- 
sponding to the rules given by reference to Figure 5. 
In the same way as for Figure 6, the locations are 
5 sorted in an order according to the first improvement 
of the invention. The tree so obtained in represented 
on Figure 9. 

For each node of the tree, the subset of rules 
H< {R. 2 } associated with this rule is indicated. For the 

10 leaves 106, the row 121 indicates the rules Rj x which 

|P determine, on the basis of their relative priorities, 

m the actions associated with these leaves and indicated 

HP by the row 120. 

~ The various configuration examples of Trie 

b{ 15 memories presented in detail in this application show 
fy the benefit of the method of the invention for the con- 

figuration of a Trie memory. The sorting of the loca- 
tions, combined as appropriate with the regrouping of 
the matching analysis sub-trees, makes it possible to 
20 reduce the necessary number of registers of a Trie mem- 
ory used for assigning to ATM cells actions designated 
by fixed rules. The reductions obtained in the examples 
presented are in keeping with the simplicity of these 
examples. For real access control policies, the reduc- 
25 tions obtained by the application of the same princi- 
ples may be sizeable, depending, as the case may be, on 
the number of rules, the number and the size of the 
fields considered, and the elementary intervals associ- 
ated with the fields. 

30 Actually, the configuring of the Trie memory 

according to the invention is carried out in step with 
the introduction of new rules, or with the deletion of 
rules, within the access control manager. This manager 
comprises a compilation module which constructs and 

35 modifies the analysis trees on the basis of the updates 
of rules introduced, before modifying the existing con- 
figuration of the Trie memory. 



